Encryption and Key Management
We encrypt data in transit and at rest across the platform. Supabase, Azure Entra, and managed service providers supply the primitives; we orchestrate keys and rotation policies centrally.
Data in Transit
- Client applications enforce TLS 1.2+ with certificate pinning on mobile builds.
- Edge functions validate HMAC signatures from external webhooks before processing payloads.
- LiveKit sessions use DTLS-SRTP; tokens are short-lived and scoped to a single encounter.
Data at Rest
- Supabase Postgres and storage buckets use AES-256 encryption with managed keys.
- Backups are encrypted and replicated to a secondary region. Snapshot hashes are logged to the compliance ledger.
- Secrets (API keys, service tokens) live in Infisical with automatic rotation reminders.
Key Lifecycle
| Key Type | Source | Rotation | Notes |
|---|---|---|---|
| Database encryption keys | Supabase | Managed by Supabase | We track rotation events in audit logs. |
| Edge function signing keys | Profound Health KMS | 90 days | Used for webhook verification and internal JWTs. |
| LiveKit API keys | LiveKit Cloud | 180 days | Stored in Infisical, rotated during maintenance windows. |
| Twilio/SendGrid credentials | Vendor portals | 365 days or upon incident | Access requires dual control via Entra PIM. |
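The webhook check listed under Data in Transit, combined with the 90-day signing-key rotation in the table above, as an added example (not Profound Health's own code). The signed string format, key ids, 300-second replay window, and the practice of accepting the previous key during a rotation overlap are assumptions, and the sample values are constructed.

```javascript
// Added example: signed-string format, key ids, replay window and key overlap are assumptions.
const { createHmac, timingSafeEqual } = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed replay window

// Hex HMAC-SHA256 over "<timestamp>.<raw body>", so the timestamp is authenticated too.
function sign(secret, timestamp, rawBody) {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Constant-time compare; lengths are checked first because timingSafeEqual throws on mismatch.
function safeEqualHex(a, b) {
  const x = Buffer.from(a, "hex");
  const y = Buffer.from(b, "hex");
  return x.length === y.length && timingSafeEqual(x, y);
}

// keys: [{ id, secret }], current key first, previous key kept only during the overlap.
// Returns { ok: true, keyId } or { ok: false, reason }. Call it on the raw request body,
// before any JSON parsing, so the bytes checked are the bytes that were signed.
function verifyWebhook({ rawBody, timestamp, signature, keys, now }) {
  const ts = Number(timestamp);
  if (!Number.isInteger(ts)) return { ok: false, reason: "bad-timestamp" };
  if (Math.abs(now - ts) > MAX_SKEW_SECONDS) return { ok: false, reason: "stale" };
  if (!/^[0-9a-f]{64}$/i.test(signature ?? "")) {
    return { ok: false, reason: "bad-signature-format" };
  }
  let matched = null;
  // Every key is checked without early exit, so timing does not reveal which key matched.
  for (const key of keys) {
    const hit = safeEqualHex(sign(key.secret, ts, rawBody), signature);
    if (hit && matched === null) matched = key.id;
  }
  return matched ? { ok: true, keyId: matched } : { ok: false, reason: "signature-mismatch" };
}

// Constructed sample data, not real keys or events.
const KEYS = [
  { id: "2025-q4", secret: "constructed-current-key" },
  { id: "2025-q3", secret: "constructed-previous-key" },
];
const BODY = '{"event":"message.delivered","id":"evt_constructed_1"}';
const NOW = 1759276800; // constructed "current time" in Unix seconds
```

Logging the returned `keyId` shows when senders have stopped using the previous key, which is the point at which it can be dropped from the list.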
Application Secrets
- Edge functions retrieve secrets via INFISICAL_TOKEN; secrets are never baked into source control.
- Portals rely on Entra-assigned managed identities for server-side operations instead of static keys.
- Mobile apps download configuration during authenticated bootstrap to prevent reverse engineering of keys.
Deterministic Environments
Local development mirrors production by loading the same secret names from the Dev Infisical config. Missing secrets fail fast so issues surface before deployment.
Monitoring & Alerting
- Key usage is logged; anomalous patterns trigger PagerDuty alerts.
- Rotation failures create blocking tasks in the internal ops portal until resolved.
- Security hardening scripts verify that no expired certificates remain in use.
By adhering to disciplined key management, we maintain the chain of trust required for HIPAA-aligned operations.
Last updated October 1, 2025 by Profound Health.
